CTF-All-In-One/doc/6.1.29_pwn_insomnictf2017_the_great_escape3.md
2018-05-24 16:33:36 +08:00

38 lines
1.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 6.1.29 pwn Insomni'hack_teaserCTF2017 The_Great_Escape_part-3
- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)
[下载文件](../src/writeup/6.1.29_pwn_insomnictf2017_the_great_escape3)
## 题目复现
```
$ file the_great_escape_part3
the_great_escape_part3: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=08df0c3369b497ee8ed8fca10dbb39ae75ebb273, not stripped
$ checksec -f the_great_escape_part3
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled No PIE RPATH No RUNPATH Yes 0 6 the_great_escape_part3
$ ldd the_great_escape_part3
linux-vdso.so.1 (0x00007ffe0f1e8000)
libjemalloc.so.2 => /usr/lib/libjemalloc.so.2 (0x00007fa5e82dd000)
libc.so.6 => /usr/lib/libc.so.6 (0x00007fa5e7f21000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007fa5e7b98000)
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007fa5e797a000)
libdl.so.2 => /usr/lib/libdl.so.2 (0x00007fa5e7776000)
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007fa5e755e000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fa5e875c000)
libm.so.6 => /usr/lib/libm.so.6 (0x00007fa5e71c9000)
```
64 位动态链接程序,但其使用 jemalloc 替代了 glibc 里的 ptmalloc2很有意思。关于 jemalloc 的更多内容可以参考章节 1.5.11。
## 题目解析
## 漏洞利用
## 参考资料
- https://ctftime.org/task/3311